CVE-2024-56197 LOW

CVE-2024-56197: Users can see other user's tagged PMs in Discourse

Vendor Discourse
Product discourse
Weakness CWE-200 · Info exposure
Published February 4, 2025
Last update February 5, 2025

CVSS base score

2.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Discourse is an open source platform for community discussion. PM titles and metadata can be read by other users when the "PM tags allowed for groups" option is enabled, the other user is a member of a group added to this option, and the PM has been tagged. This issue has been patched in the latest `stable`, `beta` and `tests-passed` versions of Discourse. Users are advised to upgrade. Users unable to upgrade should remove all groups from the the "PM tags allowed for groups" option.

Key dates

02Disclosure timeline

February 4, 2025 CVE published
February 5, 2025 Record updated